Ponzi Schemes on Ethereum
The market value of all crypto-assets has reached over AUD 2.7 trillion; speculators, asset managers and communities are devoted to their success. But it is also the perfect breeding ground for fraudsters, criminals and tax evaders.
On Nov 1, SQUID coin, a cryptocurrency deriving its name and theme from the Netflix TV hit 'Squid Game', plummeted in price from almost USD 3,000 to $0 in just 10 minutes. It started with investors realising they couldn't sell their holdings and ended with the SQUID coin developers draining the liquidity pool (the collection of investments into the coin).
Innovation is a double-edged sword; digital currencies are no exception. Fraudsters prey on the anonymity and decentralisation of the crypto-world. And it works. The SQUID coin scam is called a “rug pull”, and whilst we recommend you read up about it, it's not what we're going to be talking about in this article.
Instead, we'll be focusing on a similar scam: Ponzi schemes, specifically on the Ethereum network. Ponzi schemes have been around for a long time but have become far more dangerous in the new world of decentralised finance.
So what are Ponzi Schemes? How do they use the Ethereum network? How do you know if you've signed up for one? What can we do about it?
Thanks to the brilliant research of academics from Universita degli Studi di Cagliari in Italy, 'Dissecting Ponzi schemes on Ethereum: Identification, analysis, and impact', we can start to unpack these questions.
What's a Ponzi scheme?
In simple terms, a Ponzi scheme is a fraudulent fund set up to lure investors under a false promise of large profits and low risk. The trick is, the fraudsters behind Ponzi schemes never actually trade or invest the money they are given. They simply use new investments to pay back old investments plus any returns promised.
As long as Ponzi scheme developers can find enough new investors and convince them to not pull their money, the scheme survives.
To demonstrate, let's pretend Elucidate set up a Ponzi scheme promising to double your money. All we ask for is a modest 1% fee.
With our brilliant marketing, investors give Elucidate $20 million in our first round raise.
We make $200,000 off our fee, leaving the pot at $19.8 million.
You go tell your friends that you're going to double your money with almost no risk. This hype gets us $30 million in our second round raise.
We make another $300,000 off the fee and Elucidate is half a million dollars richer. The pot is at $49.5 million. We now use $40 million of that pot to pay back the first-round investors. They just doubled their money and are happy.
This creates more hype as it 'validates' our fund. In our third round raise we manage to get $50 million. Of course, we take our $500,000 fee and now the Elucidate founders have $1 million. The pot sits at $59 million.
We'd like to double the money of the second-round investors to keep the hype going, but we need $60 million to do that. So how do we keep the Ponzi scheme going? As long as we can find new investors, we can double the old investors' money using the new investors' money. And all the while, we get our lovely profits.
But if we can't get new investors and/or when lots of people start asking for their funds back, the Elucidate Ponzi scheme implodes. Ponzi schemes need hype and trust to succeed. We need more investors each round (think of it as exponential growth); the rate of the increase in investors depends on both our fee and the return we promise.
The biggest Ponzi scheme in history was run by the infamous Bernie Madoff and went on for over 33 years. It finally ended in the 2008-09 financial crisis when he couldn't get any new investors; altogether, investors lost $65 billion. He was sentenced to 150 years in prison. Have a read about his scheme because it's truly fascinating. The reason his fund was able to last so long was partly because it promised a 14-20% return, not 100% like the fake Elucidate fund.
It's very unlikely you'll see Ponzi schemes operating in equity markets in 2021. But on Ethereum using smart contracts? Well, that is a different story.
Where do smart contracts come in?
Fraudsters code up Ponzi schemes in the form of smart contracts and run them on the Ethereum Blockchain.
Smart contracts are simply contracts recorded in the form of computer code. Think about life insurance: a smart contract would encode the terms and in the event of a passing, a death certificate would trigger the smart contract to pay the beneficiaries the specified amount.
The thing to note is that there's no need for a third party to facilitate the transaction (think, a stockbroker). Smart contracts are self-executed on a public un-hackable network that's controlled by computers.
Smart contracts lie in a grey area of legal systems, and so are a perfect breeding ground for fraud. Importantly:
The fraudster is completely anonymous. You don't need to reveal your identity when creating a smart contract or withdrawing money from it.
The scheme cannot be terminated by any central authority like a court of law. Smart contracts are 'unmodifiable' and 'unstoppable'.
It is easier for the fraudster to appear trustworthy. The code of a smart contract is public, can't be changed, and its execution is automatically enforced. Investors may believe the owner of the smart contract cannot take advantage of their money, so it is easier to find new investors.
If there is ever a place in 2021 where you can double your money, it's in crypto. On top of this, the crypto asset management business is relatively young. As such, Ponzi schemes on Ethereum are particularly alluring for people who want to get rich quick.
You can have a look at the code for one smart Ponzi scheme in the additional reading section of the article.
The paper's findings
The researchers used an open source tool and four conditions to find 184 Ponzi schemes on the Ethereum Blockchain. The conditions are explained in the additional reading section.
One Ponzi scheme was called 'Doubler2' and it promised to double everyone's investment just like our imaginary Elucidate 'fund'. There were 210 investors in this scheme; some doubled their money, some didn't make anything at all. 142 lost money...
Out of the 184 smart Ponzi schemes, many have errors in their code that further harm investors but are profitable to the fraudster. See more about this in the additional reading section.
The percentage of users not gaining anything is around 70%, and the difference between new investments and payouts is almost zero. If no money is "escaping the system" and 70% aren't gaining anything, then someone has to be making some sweet profit. Well, it turns out that for most of the Ponzi schemes there are usually one or two users with exceptionally high returns who actually invest very little or nothing at all. Sounds like the fraudsters to us.
This shows that wealth in Ponzi schemes is very unevenly distributed: some win big and some lose big.
Approximately 60% of Ponzi schemes have a lifetime close to 0 days. This is usually because they were advertised in forums or dedicated websites but couldn't attract any users.
You can check out all of the Ponzi schemes the researchers found on their public dataset here.
What can we do about this?
Analyse the transaction logs.
As Ponzi schemes are smart contracts, you can see the public transaction logs. The transaction logs of Ponzi schemes will typically show that most users either never receive money back or receive only a fraction of what they invested. They also normally have a short lifespan, usually a peak of intense activity followed by stagnation.
These features aren't really enough to know when a contract is a Ponzi scheme. But for the coders out there, you could combine these features to train classifiers which automatically detect Ponzi schemes. Automatic classification of Ponzi schemes from these transaction logs can have high levels of accuracy.
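As an added illustration (not code from the article or from the paper), here is a Python sketch of the feature extraction such a classifier would start from, run over a constructed transaction log for a hypothetical contract at placeholder address C. The addresses, amounts and timestamps are made up, and the thresholds in looks_like_ponzi are assumptions, not figures from the paper.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample log for a hypothetical doubling contract at placeholder address "C".
# Each row: (timestamp, sender, receiver, amount in milli-ether). "O" is the contract
# owner collecting a 1% fee; A..G are investors. None of this is real chain data.
CONTRACT = "C"
SAMPLE_LOG = [
    ("2016-04-01T10:00", "A", "C", 1000),  # A deposits 1 ETH
    ("2016-04-01T10:00", "C", "O", 10),    # 1% fee to the owner
    ("2016-04-01T11:00", "B", "C", 2000),
    ("2016-04-01T11:00", "C", "O", 20),
    ("2016-04-01T11:00", "C", "A", 2000),  # A is doubled out of B's deposit
    ("2016-04-01T15:00", "D", "C", 1000),
    ("2016-04-01T15:00", "C", "O", 10),
    ("2016-04-02T09:00", "E", "C", 4000),
    ("2016-04-02T09:00", "C", "O", 40),
    ("2016-04-02T09:00", "C", "B", 4000),  # B is doubled out of E's deposit
    ("2016-04-03T12:00", "F", "C", 1000),
    ("2016-04-03T12:00", "C", "O", 10),
    ("2016-04-03T12:00", "C", "D", 2000),  # D is doubled; E, F and G are never paid
    ("2016-04-20T08:00", "G", "C", 500),
    ("2016-04-20T08:00", "C", "O", 5),
]


def extract_features(log, contract):
    """Summarise a contract's transaction log with the signals the text describes."""
    invested = defaultdict(int)   # address -> total sent to the contract
    received = defaultdict(int)   # address -> total paid out by the contract
    per_day = defaultdict(int)    # date -> number of transactions that day
    times = []
    for ts, src, dst, amount in log:
        t = datetime.fromisoformat(ts)
        times.append(t)
        per_day[t.date()] += 1
        if dst == contract:
            invested[src] += amount
        elif src == contract:
            received[dst] += amount

    investors = sorted(invested)
    total_in = sum(invested.values())
    total_out = sum(received.values())
    no_return = sum(1 for a in investors if received.get(a, 0) == 0)
    lost = sum(1 for a in investors if received.get(a, 0) < invested[a])
    return {
        "investors": len(investors),
        "total_in": total_in,
        # money that never left the contract (the paper found this close to zero)
        "retained": total_in - total_out,
        # share of investors who got nothing back / got back less than they put in
        "no_return_share": no_return / len(investors),
        "lost_share": lost / len(investors),
        # days between first and last transaction, and how bursty the activity was
        "lifetime_days": round((max(times) - min(times)).total_seconds() / 86400, 2),
        "peak_day_share": max(per_day.values()) / len(log),
        # addresses paid by the contract that never invested: the owner/fee signal
        "zero_investment_receivers": sorted(a for a in received if a not in invested),
    }


def looks_like_ponzi(features):
    """Illustrative rule of thumb; the thresholds are assumptions, not the paper's."""
    return (
        features["lost_share"] >= 0.5
        and features["retained"] <= 0.2 * features["total_in"]
        and len(features["zero_investment_receivers"]) > 0
    )


if __name__ == "__main__":
    feats = extract_features(SAMPLE_LOG, CONTRACT)
    for key, value in feats.items():
        print(f"{key:>26}: {value}")
    print("flagged:", looks_like_ponzi(feats))
```

On the sample log the contract retains almost nothing, half the investors get nothing back, activity is concentrated in the first day, and the only address that is paid without ever investing is the owner. A real classifier would learn the thresholds from labelled contracts rather than hard-code them as done here.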
Educating yourself.
Almost all of the 184 Ponzi schemes on Ethereum that the paper studied presented "high-yield" investment opportunities — promising high returns with low or no risk. Some Ponzi schemes were promoted as a "social game". But still, all of these social games needed players to transfer money with the allure of sweet profits.
If it looks too good to be true, it probably is. You can use websites like BadBitcoin to see a blacklist of crypto-based scams or the "Gambling: Investor-based games" forum on Bitcointalk.org for discussions on crypto scams.
Analyse the contract code.
Remember how fraudsters love to sell their smart contract Ponzi schemes by saying that the code is publicly accessible, immutable and has decentralised execution? This is true, but not everyone can read it, understand it, and figure out its reliability.
Researchers are developing ways to automatically analyse Ethereum contracts to detect common vulnerabilities like the send-error mishandling described in the additional reading section.
Some websites, for example, can help you check whether the contract owner is able to secretly take investors' funds.
Final thoughts
No intermediation. No authorities. These features are at the core of the new wave of cryptocurrencies. Money can be transferred securely and almost entirely anonymously, making crypto perfect for criminals. Ponzi schemes are alive and well in crypto markets.
We will leave you with one final finding of the paper: a massive spike in Ponzi schemes was seen on Ethereum in April 2016; instances have significantly dropped ever since. Whilst it might seem like Ponzi schemes have vanished, the paper's authors believe they have just warped into something far more difficult to detect.
More discussions (Additional reading)
Here, we discuss the criteria for a smart Ponzi scheme, take a look at the code for the Doubler2 smart Ponzi scheme (equivalent to the imaginary Elucidate fund) and describe an error found in some of the code.
Conditions for a smart Ponzi scheme
The paper classifies a smart contract as a Ponzi scheme if it satisfies these conditions:
The contract distributes money among investors, according to some logic.
The contract receives money only from investors.
Each investor makes a profit if enough investors invest enough money in the contract afterwards.
The later an investor joins the contract the greater the risk of losing his investment.
The first and second conditions together show how a Ponzi scheme uses funds from new investors to pay back the 'promised' returns to existing investors. The third requirement reflects that Ponzi schemes need a constant flow of money from new investors to survive. Finally, the fourth condition implies that the schemes inevitably implode because it becomes increasingly hard to find new investors.
Code for the Doubler2 Ponzi scheme
This stylized Solidity code shows the smart contract implementation of this scheme that promises to double your money.
Every time a new investor joins the party, the join() function is called and performs some tasks. Look in the last 'block' of code:
Line 21 (user.push): Adds the new user to the list of investors with the amount they invested.
Line 23 (owner.transfer): Transfers 1% to the owner.
Lines 24–27 (while loop): Pay as many of the early investors as possible using what’s in the pot.
Error in smart Ponzi scheme code
In many of the Ponzi schemes, the command that sends money back to investors was misused. If the command fails, it returns an error code, and if the contract does not check the error, it can't acknowledge that there's been a problem. So, when this command fails, the money remains in the contract while the user receives nothing. Even when the command's result is checked, improper handling of its return value can backfire and expose the scheme to Denial-of-Service attacks or blackmailing.
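The imaginary Elucidate fund, the Doubler2 join() logic described above and the send-error problem all come down to the same bookkeeping, so here is one added Python model that covers all three (this is not the contract's Solidity, nor code from the article or the paper). It keeps 1% for the owner, then pays the earliest unpaid investors double, in order, while the pot allows. The failing parameter is a constructed edge case: an investor address that rejects payments. With check_send=False it models the unchecked-send bug (the payout is marked as done but the ether stays in the contract); with check_send=True it goes one step further than the text and shows the Denial-of-Service side: a contract that reverts on a failed send can never get past that investor, so every later join bounces.

```python
import copy

# Added model of the doubling scheme: Elucidate fund / Doubler2 accounting in Python,
# not the contract's Solidity. Amounts are integers (e.g. thousands of dollars) so the
# 1% fee is exact.


def _join(s, who, amount, failing, check_send):
    """Apply one join() to state s. Returns False if the join reverts (checked send failure)."""
    s["users"].append((who, amount))
    s["received"][who] = 0
    fee = amount // 100
    s["owner_fees"] += fee              # the owner.transfer step
    s["pot"] += amount - fee
    # pay as many of the earliest unpaid investors as the pot allows (the while loop)
    while s["payout_idx"] < len(s["users"]):
        idx, invested = s["users"][s["payout_idx"]]
        payout = 2 * invested
        if s["pot"] < payout:
            break
        if idx in failing:              # constructed edge case: recipient rejects the send
            if check_send:
                return False            # contract checks send() and reverts the whole join
            s["stranded"] += payout     # unchecked: bookkeeping moves on, ether stays behind
        else:
            s["received"][idx] += payout
        s["pot"] -= payout
        s["payout_idx"] += 1
    return True


def simulate_doubler(deposits, failing=frozenset(), check_send=False):
    """
    deposits:   investor deposits in join order (investor i deposits deposits[i]).
    failing:    indices of investors whose address cannot receive payments (assumption).
    check_send: False models the unchecked-send bug; True models a contract that reverts.
    Returns where the money ended up and which investors doubled, lost or were bounced.
    """
    state = {"users": [], "received": {}, "pot": 0, "owner_fees": 0,
             "payout_idx": 0, "stranded": 0}
    reverted = []
    for who, amount in enumerate(deposits):
        trial = copy.deepcopy(state)
        if _join(trial, who, amount, failing, check_send):
            state = trial               # join succeeded: commit the new state
        else:
            reverted.append(who)        # join reverted: deposit bounced, nothing changed
    users, received = state["users"], state["received"]
    return {
        "owner_fees": state["owner_fees"],
        "pot": state["pot"],
        "stranded": state["stranded"],
        "reverted": reverted,
        "received": received,
        "doubled": [i for i, a in users if received[i] >= 2 * a],
        "lost": [i for i, a in users if received[i] < a],
    }


if __name__ == "__main__":
    # the article's three rounds, $20m, $30m and $50m, in thousands of dollars
    print(simulate_doubler([20_000, 30_000, 50_000]))
    # unchecked send failure: the first investor's payout is silently stranded
    print(simulate_doubler([20_000, 30_000, 50_000], failing={0}))
    # checked send failure: every later join reverts while investor 0 heads the queue
    print(simulate_doubler([20_000, 30_000, 50_000], failing={0}, check_send=True))
```

The first run reproduces the article's numbers exactly: $1 million in fees, a pot of $59 million, only the first investor doubled and the other two waiting for money that needs a fourth investor to arrive. The second run shows why an unchecked send hurts investors but not the owner, and the third shows why simply reverting on failure is not the fix either, since one unpayable address at the head of the queue freezes the whole scheme.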